Root cause: unvalidated
In binutils/resrc.c, define_font() reads a font file, derives device and face pointers from offsets in the file header, and then builds a FONTDIR record with memcpy(fontdata, data, 56); strcpy(fontdata + 56, device); strcpy(fontdata + 57 + strlen(device), face). Tension: The destination allocation is based on strlen(device)+strlen(face), but the only bound on those source strings is the file size check on their starting offsets; nothing explicitly limits their length. Outcome: This is a classic unsafe string composition pattern in parser code.
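A bounded form of this composition, as an added example that is not the binutils code: build_fontdir, bounded_strlen_at and fontdir_selftest are hypothetical names, and the 64-byte input is constructed. Each string must be shown to contain its NUL inside the file buffer before it is measured or copied.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define FONTDIR_HDR 56 /* fixed header bytes copied from the file, per the page */

/* Length of the string at data[off], or -1 if off is outside the buffer or
   no NUL terminator occurs before the end of the buffer. */
static long bounded_strlen_at(const unsigned char *data, size_t size, size_t off)
{
    const unsigned char *nul =
        off < size ? memchr(data + off, '\0', size - off) : NULL;
    return nul ? (long)(nul - (data + off)) : -1;
}

/* Hypothetical helper: returns malloc'd header + device\0 + face\0, or NULL
   when the input is malformed. Both lengths are proven in-bounds first. */
unsigned char *build_fontdir(const unsigned char *data, size_t size,
                             size_t device_off, size_t face_off, size_t *out_len)
{
    long dlen = bounded_strlen_at(data, size, device_off);
    long flen = bounded_strlen_at(data, size, face_off);
    unsigned char *out;
    if (size < FONTDIR_HDR || dlen < 0 || flen < 0) return NULL;
    *out_len = FONTDIR_HDR + (size_t)dlen + 1 + (size_t)flen + 1;
    if ((out = malloc(*out_len)) == NULL) return NULL;
    memcpy(out, data, FONTDIR_HDR);
    memcpy(out + FONTDIR_HDR, data + device_off, (size_t)dlen + 1);
    memcpy(out + FONTDIR_HDR + dlen + 1, data + face_off, (size_t)flen + 1);
    return out;
}

/* Constructed 64-byte input: "dev\0" at 56, unterminated "face" at 60. */
int fontdir_selftest(void)
{
    unsigned char file[64] = {0}, *ok;
    size_t len = 0; int failures = 0;
    memcpy(file + 56, "dev", 4);
    memcpy(file + 60, "face", 4); /* runs to end of buffer, no NUL */
    ok = build_fontdir(file, sizeof file, 56, 56, &len);
    failures += !(ok && len == 64 && strcmp((char *)ok + 60, "dev") == 0);
    free(ok);
    failures += build_fontdir(file, sizeof file, 56, 60, &len) != NULL;
    failures += build_fontdir(file, sizeof file, 64, 56, &len) != NULL;
    failures += build_fontdir(file, 40, 0, 0, &len) != NULL;
    return failures;
}

int main(void) { return fontdir_selftest(); }
```

The unterminated "face" case is the one a start-offset check alone lets through: the offset is inside the file, but strlen() would keep reading past its end.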